Joint industry letter on trialogue negotiations on the Cybersecurity Act

The ongoing negotiations between the European Parliament and the Council to set up an EU cybersecurity certification framework will have profound implications for the future of Europe’s industrial system, European companies being the first impacted by the final design of the framework.

Members of the co-signing associations are developing the ICT products, services and processes that will be the source for Europe’s innovation, growth and competitiveness in core sectors of the digitised economy – industrial applications, connected and autonomous vehicles, medical technology and more. Protecting the safety, reliability and security of our companies’ products and systems is part and parcel of their future success.

We have always been committed to these goals and have extensive experience with the EU’s longstanding placing on the market and market surveillance frameworks. In this context, the cybersecurity certification framework should be a way to boost the EU’s competitiveness – it should not prevent innovation due to a rigid approach. The framework should act as an opportunity for innovators to add value to their offerings and better compete in fast-changing markets, while improving security. The final Cybersecurity Act, therefore, should be flexible and future-proof, which means:

Industry involvement needs to be a central element in the development of certification schemes. Without structured industry input in all phases of the schemes’ development and the ability for industry experts to participate in the development of individual schemes as needed, the framework will not generate state-of-the-art or market-relevant outcomes. We support the European Parliament’s amendment to have ad hoc consultation groups for each scheme (Article 20a).

The framework should not make schemes mandatory from the start. The competitiveness of our members and their growth opportunities would be severely hampered if certification were to be conceived as a market access barrier, before the market itself is mature enough to warrant mandatory schemes. We urge a careful reconsideration of the mandatory aspects introduced by the European Parliament (new article 48a).

Self-assessment, including declaration of conformity, has for decades been a tried and wellrespected procedure for companies to demonstrate their compliance with essential health and safety requirements for connected products. In markets that have not yet been fully developed or that are changing at an unprecedented pace, new features and products would take an inordinate amount of time to reach professional customers and consumers if they were to undergo lengthy and cost-intensive third-party certification procedures, especially for SMEs. We support provisions of the European Parliament and Council introducing the possibility for self-assessment and regret its limited applicability to the most basic cybersecurity risk, which does not match the need for a substantial assurance level in most industrial applications.

Interoperability with existing international agreements, regulations and standards should be embedded in the development of future schemes. Our members need scale not just on the European market but also globally, and it is vital that European certification schemes do not reduce the addressable market. We oppose Article 47(1)(b) of the Council’s General Approach in the part providing for the possibility to introduce ‘technical specifications or other
cybersecurity requirements’ in a scheme, if standards or technical specifications are not available.

Our associations want to make the EU cybersecurity certification framework a success for both the security and the competitiveness of our industries, and therefore urge the co-legislators to focus on the above points.